| 1 |
type: security |
| 2 |
subject: Updated ghostscript packages fix security vulnerabilities |
| 3 |
CVE: |
| 4 |
- CVE-2018-15908 |
| 5 |
- CVE-2018-15909 |
| 6 |
- CVE-2018-15910 |
| 7 |
- CVE-2018-15911 |
| 8 |
- CVE-2018-16509 |
| 9 |
- CVE-2018-16510 |
| 10 |
- CVE-2018-16511 |
| 11 |
- CVE-2018-16513 |
| 12 |
- CVE-2018-16539 |
| 13 |
- CVE-2018-16540 |
| 14 |
- CVE-2018-16541 |
| 15 |
- CVE-2018-16542 |
| 16 |
- CVE-2018-16543 |
| 17 |
- CVE-2018-16802 |
| 18 |
src: |
| 19 |
6: |
| 20 |
core: |
| 21 |
- ghostscript-9.24-1.5.mga6 |
| 22 |
description: | |
| 23 |
Updated ghostscript packages fix several security vulnerabilities |
| 24 |
including: |
| 25 |
|
| 26 |
In Artifex Ghostscript 9.23 before 2018-08-23, attackers are able to supply |
| 27 |
malicious PostScript files to bypass .tempfile restrictions and write files |
| 28 |
(CVE-2018-15908). |
| 29 |
|
| 30 |
In Artifex Ghostscript 9.23 before 2018-08-24, a type confusion using the |
| 31 |
.shfill operator could be used by attackers able to supply crafted PostScript |
| 32 |
files to crash the interpreter or potentially execute code (CVE-2018-15909). |
| 33 |
|
| 34 |
In Artifex Ghostscript before 9.24, attackers able to supply crafted |
| 35 |
PostScript files could use a type confusion in the LockDistillerParams |
| 36 |
parameter to crash the interpreter or execute code (CVE-2018-15910). |
| 37 |
|
| 38 |
In Artifex Ghostscript 9.23 before 2018-08-24, attackers able to supply |
| 39 |
crafted PostScript could use uninitialized memory access in the aesdecode |
| 40 |
operator to crash the interpreter or potentially execute code |
| 41 |
(CVE-2018-15911). |
| 42 |
|
| 43 |
An issue was discovered in Artifex Ghostscript before 9.24. Incorrect |
| 44 |
"restoration of privilege" checking during handling of /invalidaccess |
| 45 |
exceptions could be used by attackers able to supply crafted PostScript |
| 46 |
to execute code using the "pipe" instruction (CVE-2018-16509). |
| 47 |
|
| 48 |
An issue was discovered in Artifex Ghostscript before 9.24. Incorrect exec |
| 49 |
stack handling in the "CS" and "SC" PDF primitives could be used by remote |
| 50 |
attackers able to supply crafted PDFs to crash the interpreter or possibly |
| 51 |
have unspecified other impact (CVE-2018-16510). |
| 52 |
|
| 53 |
An issue was discovered in Artifex Ghostscript before 9.24. A type |
| 54 |
confusion in "ztype" could be used by remote attackers able to supply |
| 55 |
crafted PostScript to crash the interpreter or possibly have unspecified |
| 56 |
other impact (CVE-2018-16511). |
| 57 |
|
| 58 |
In Artifex Ghostscript before 9.24, attackers able to supply crafted |
| 59 |
PostScript files could use a type confusion in the setcolor function to |
| 60 |
crash the interpreter or possibly have unspecified other impact |
| 61 |
(CVE-2018-16513). |
| 62 |
|
| 63 |
In Artifex Ghostscript before 9.24, attackers able to supply crafted |
| 64 |
PostScript files could use incorrect access checking in temp file handling |
| 65 |
to disclose contents of files on the system otherwise not readable |
| 66 |
(CVE-2018-16539). |
| 67 |
|
| 68 |
In Artifex Ghostscript before 9.24, attackers able to supply crafted |
| 69 |
PostScript files to the builtin PDF14 converter could use a use-after-free |
| 70 |
in copydevice handling to crash the interpreter or possibly have unspecified |
| 71 |
other impact (CVE-2018-16540). |
| 72 |
|
| 73 |
In Artifex Ghostscript before 9.24, attackers able to supply crafted |
| 74 |
PostScript files could use incorrect free logic in pagedevice replacement |
| 75 |
to crash the interpreter (CVE-2018-16541). |
| 76 |
|
| 77 |
In Artifex Ghostscript before 9.24, attackers able to supply crafted |
| 78 |
PostScript files could use insufficient interpreter stack-size checking |
| 79 |
during error handling to crash the interpreter (CVE-2018-16542). |
| 80 |
|
| 81 |
In Artifex Ghostscript before 9.24, gssetresolution and gsgetresolution |
| 82 |
allow attackers to have an unspecified impact (CVE-2018-16543). |
| 83 |
|
| 84 |
An issue was discovered in Artifex Ghostscript before 9.25. Incorrect |
| 85 |
"restoration of privilege" checking when running out of stack during |
| 86 |
exception handling could be used by attackers able to supply crafted |
| 87 |
PostScript to execute code using the "pipe" instruction. This is due to |
| 88 |
an incomplete fix for CVE-2018-16509 (CVE-2018-16802). |
| 89 |
|
| 90 |
GS Bug 699663 : .setdistillerkeys memory corruption. (CVE Requested) |
| 91 |
|
| 92 |
GS Bug 699699 : Crash upon bogus input argument |
| 93 |
|
| 94 |
GS Bug 699719: Fix @ files in arg handling |
| 95 |
|
| 96 |
GS Bug 699711: Review arg_next to ensure that NULL arg returns are coped with |
| 97 |
|
| 98 |
GS Bug Fix SEGV seen in all-devices test with plank examples/ridt91.eps |
| 99 |
|
| 100 |
GS Bug 699708 (part 1): 'Hide' non-replaceable error handlers for SAFER |
| 101 |
|
| 102 |
GS Bug 699707: Security review bug - continuation procedures |
| 103 |
references: |
| 104 |
- https://bugs.mageia.org/show_bug.cgi?id=23526 |
| 105 |
- https://www.ghostscript.com/doc/9.24/History9.htm#Version9.24 |
| 106 |
- http://openwall.com/lists/oss-security/2018/09/05/3 |
| 107 |
- http://openwall.com/lists/oss-security/2018/09/06/3 |
| 108 |
- http://openwall.com/lists/oss-security/2018/09/09/1 |
| 109 |
- http://openwall.com/lists/oss-security/2018/09/09/2 |
| 110 |
- http://openwall.com/lists/oss-security/2018/09/11/1 |
| 111 |
ID: MGASA-2018-0378 |
Parent Directory
| 
Revision Log